Wednesday, January 29, 2014

Kindle Fire HDX File System Extraction



[Image: Kindle Fire HDX Robber]


Yesterday I was trying to get a physical image of my Kindle Fire HDX 7, software version 13.3.1.0, using the Cellebrite Touch Ultimate and did not have any luck. I found that the operating system is Fire OS 3, which branched off from Android 4.2.2. Even if I could have gotten an image, I would have needed to wait for the dongle for the UFED Physical Analyzer to get updated.

Today I came into the lab thinking I could use the UFED Physical Analyzer to take a physical image of the Kindle. It turns out that the software is used to view the physical image, not to take one. Thus I needed to get an image somehow. I took out the Cellebrite Touch Ultimate again and took another look at my options. There is an option to take a physical extraction of the file system. I figured this would provide me with all of the forensically important data. The state of the Kindle is restored to factory settings as if it had never been used. This physical extraction should serve as a base line.

The extraction gave me 158 images, four videos, 193 text, and 93 databases. My initial inventory of the information reveals a lot of interesting data within the databases. For example:

/data/data/com.amazon.venezia/app_amazon_webview/amazon_webview/Archived History contains keyword search terms, URLs, visit sources, and visits.

/data/data/com.amazon.cloud9/databases/browser.db contains domain performance statistics, pages, saved pages, stock searches, tab history, tabs, trending pages, URL performance statistics, and user agent preferences. Six pages are already set: Amazon.com, Bing, Facebook, Yahoo!, Wikipedia, and YouTube.

/data/data/com.android.providers.calendar/databases/calendar.db contains Calendar Alerts, Calendar Cache, Calendars, Events, and Reminders.

/data/data/com.amazon.zico/databases/cloud_drive.db contains files to pin, files to upload, opened files, pinned objects, and serialized values. It is interesting that there is data on the Kindle that is related to the cloud drive, which should store data outside the Kindle.

/data/data/com.amazon.kindle.cms/databases/cms.db contains apps (there are already eleven: com.amazon.camera, com.amazon.settings, com.amazon.email, com.amazon.contacts, com.amazon.deskclock, com.amazon.cloud9, com.amazon.csapp, com.amazon.windowshop, com.amazon.tahoe, com.goodreads.kindle, com.android.calender), audiobooks, books, carousel, collections, docs, favorites, music, periodicals, recommendations, user items, and users. It is interesting that I could not view user items and there are 41 of them.

/data/data/com.android.providers.contacts/databases/contacts2.db contains accounts, calls, contacts, data, data usage statistics, groups, names lookup, nickname lookup, phone lookup, photo files, raw contacts, settings, status updates, stream item photos, stream items, visible contacts, and voicemail status. This is very interesting to me. I believe the Kindle Fire HDX has the capability to make phone calls, but it is not enabled normally. I wonder if a rooted Kindle could make phone calls.

/data/data/com.amazon.mp3/databases/DownloadLibrary.db contains information on music such as albums, artists, downloaded items, genres, playlists, and tracks.

/data/data/com.android.providers.downloads/databases/downloads.db contains downloads.

/data/data/com.android.email/databases/EmailProvider.db contains Account, Attachments, DMetrics, HostAuth, Mailbox, Messages, Deleted Messages, Message Updates, Policy, and Quick Response.

/data/data/com.amazon.venezia/app_amazon_webview/amazon_webview/History contains downloads, keyword search terms, URLs, visit source, and visits.

/data/data/com.android.providers.telephony/databases/mmssms.db indicates the possibility of texting. MMS is Multimedia Messaging Service and SMS is Short Message Service. Interesting, maybe a rooted Kindle could send and receive texts.

/data/data/com.amazon.venezia/files/resources/res.db contains 2178 strings such as “forgot password?” or “To continue, enter your Amazon password:” and each string is presented in five languages: English, Japanese, Chinese, Spanish, and French.

/data/securedStorageLocation/com.amazon.tahoe/databases/tahoe.db I am not quite sure what tahoe.db is. I saw it before as an app that was already installed. I would like to find out more about what this is for.

/data/data/com.amazon.avod/databases/webview.db contains formdata, formurl, httpauth, and password. It is interesting that there are passwords stored here. I am curious if they are for online accounts and if they are in plain text or encrypted with hash values. I am also curious how secure these are and if they could be cracked if they are encrypted.
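The inventory above was built by opening each database and listing its tables by hand. The script below is an added example (my own code, not from this post or from Cellebrite) that automates that first pass over an extraction tree: it walks a directory, identifies SQLite files by their magic header rather than by extension, records each table's row count and column names, and flags tables whose names suggest stored credentials or messaging data (such as the password and httpauth tables in webview.db) so an examiner knows where to look first. The sample tree it builds is constructed for the demonstration and mimics two of the paths named in the post; the table layouts, hostnames and values in it are assumptions, not data from a real Kindle.

```python
import os
import sqlite3
import tempfile

# Table-name fragments that usually deserve a closer look in a mobile extraction.
SENSITIVE_TABLE_HINTS = ("password", "httpauth", "formdata", "calls", "sms", "pdu")

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def is_sqlite_file(path):
    """Identify SQLite files by header, since extracted databases are not always named *.db."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def inventory_database(path):
    """Return {table_name: (row_count, [column names])} for one SQLite file, opened read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never modify evidence
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        result = {}
        for table in names:
            cols = [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]
            count = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            result[table] = (count, cols)
        return result
    finally:
        conn.close()


def inventory_extraction(root):
    """Walk an extraction tree; return {path relative to root: table inventory} for every SQLite file."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) >= 16 and is_sqlite_file(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                found[rel] = inventory_database(full)
    return found


def flag_sensitive(inventory):
    """Return sorted (db, table, row_count) triples for tables whose names match SENSITIVE_TABLE_HINTS."""
    flagged = []
    for db, tables in inventory.items():
        for table, (count, _) in tables.items():
            if any(hint in table.lower() for hint in SENSITIVE_TABLE_HINTS):
                flagged.append((db, table, count))
    return sorted(flagged)


def build_sample_extraction():
    """Constructed sample tree (assumed layouts, not real Kindle data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="kindle_fs_")
    webview_dir = os.path.join(root, "data", "data", "com.amazon.avod", "databases")
    browser_dir = os.path.join(root, "data", "data", "com.amazon.cloud9", "databases")
    os.makedirs(webview_dir)
    os.makedirs(browser_dir)

    conn = sqlite3.connect(os.path.join(webview_dir, "webview.db"))
    conn.executescript("""
        CREATE TABLE formdata (_id INTEGER PRIMARY KEY, urlid INTEGER, name TEXT, value TEXT);
        CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT, username TEXT, password TEXT);
        CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT, username TEXT, password TEXT);
        INSERT INTO password VALUES (1, 'example.invalid', 'sample-user', 'SAMPLE-VALUE');
    """)
    conn.close()

    conn = sqlite3.connect(os.path.join(browser_dir, "browser.db"))
    conn.executescript("""
        CREATE TABLE tabs (_id INTEGER PRIMARY KEY, url TEXT);
        INSERT INTO tabs VALUES (1, 'https://www.amazon.com/'), (2, 'https://www.bing.com/');
    """)
    conn.close()

    # A non-SQLite file, to show that the header check skips it.
    with open(os.path.join(root, "data", "data", "notes.txt"), "w") as f:
        f.write("not a database\n")
    return root


if __name__ == "__main__":
    root = build_sample_extraction()
    inventory = inventory_extraction(root)
    for db, tables in sorted(inventory.items()):
        print(db)
        for table, (count, cols) in tables.items():
            print(f"  {table}: {count} rows, columns={cols}")
    print("review first:", flag_sensitive(inventory))
```

Point it at the root of a real extraction with `inventory_extraction("/path/to/extraction")`; the read-only URI keeps the tool from touching the evidence, and listing column names alongside row counts answers questions like the one raised about webview.db (whether a password column holds cleartext or a digest) from the schema before any row is read.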
File System Extraction Analysis
